Impact of duplicated HTTP headers on the security of web applications


Supervision: Marcus Niemietz

More details: [Paper download]


When communicating with a web client, the server uses different HTTP headers. These headers can increase the security of the web application and protect the client from various threats. For example, when setting "X-Frame-Options: deny" header, the browser must not include the delivered content in a frame. The "Strict-Transport-Security" header ensures that the web content can only be accessed using TLS. CORS precisely defines, which resorces can be accessed from foreign origins...

Everything should work fine when the server sends appropriate headers. However, what happens if the server duplicates specific headers? This scenario is not rare since web applications are typically hosted on several server instances and the HTTP headers can be set at any instance in the chain.

The goal of this thesis is to:

  • Analyze web clients how they process duplicated HTTP headers.
  • Perform a large-scale scan of the web ecosystem and evaluate the impact of the dulicated headers.


  • Interest in web security and web attacks
  • CTF player